
Hi all,

I'm using my neighbor's computer in hopes someone can help me fix my own ... not sure why or how it's happened, but my computer has been completely taken over, I think. I've never seen one so aggressive. I'm unable to connect to the internet, and several programs won't run anymore, though I'm going to try installing them again - but renaming them first.

I know nothing about hijackthis, but ran it and saved a log for posting, I do hope someone can help guide me in the right direction with fixing this!

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 4:29:24 PM, on 11/7/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\WINDOWS\explorer.exe
E:\poopoo.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User '?')
O4 - HKUS\S-1-5-20\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User '?')
O4 - HKUS\S-1-5-20\..\RunOnce: [*KB9222109.exe] "C:\Documents and Settings\Owner\Application Data\Adobe\plugs\KB9222109.exe" (User '?')
O4 - HKUS\S-1-5-20\..\RunOnce: [*KB9222656.exe] "C:\Documents and Settings\Owner\Application Data\Adobe\plugs\KB9222656.exe" (User '?')
O4 - HKUS\S-1-5-20\..\RunOnce: [*queuecentermsg.exe] "C:\Documents and Settings\All Users\Start Menu\Programs\queuecentermsg.exe" (User '?')
O4 - HKUS\S-1-5-20\..\RunOnce: [*acleditevts.exe] "C:\Documents and Settings\Owner\Local Settings\Application Data\acleditevts.exe" (User '?')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User '?')
O4 - HKUS\S-1-5-18\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User '?')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

--
End of file - 3502 bytes


Thanks,
Jennifer


You have posted this problem at multiple forums. You should choose one and stay; doing steps from multiple places is never a good idea.
If you wish assistance here then complete the steps given in the link caperjack gave you and post back with all of the requested logs.
If you decide to stick with the other forum then please post that here so we can close this thread.


I did read it, but was in a hurry as I wasn't at home ... now I'll be running back and forth as I follow the steps, thanks for your patience!


Try this with the infected computer to see if maybe you can get it online.
Shut down, and then attempt to boot to Safe Mode with Networking. You may be able to get online with it that way because that may bypass the autostarting infection processes. If you can, you can then do the steps that way.

If not then another thing to try is download the removal tools to a flash drive from the good computer and then run them from the flash drive on the infected computer.


Hi jholland,

I tried booting in safe mode with networking, but it still wouldn't let me connect. So I saved the programs to a usb, put them on my desktop and ran them that way.

All logs posted below.

I hope I've done this properly. When following the GMER steps 1 and 2, the logs looked identical, so I ran it again with the C drive ticked (show all unticked). *fingers crossed* it's done properly.

It's been 2 days now that this has happened, and it seemed like every time I ran a scan (Malwarebytes) it would find something new BUT be worse once it restarted.

First it was redirecting whenever I searched something in Google, then I lost internet connection altogether, and now, once loaded, it looks like the old Windows 98.

I'm also unable to view most folders/files I had on here. And when I do manage to navigate my way to them, they all say '0 KB' or whatever, implying they're empty.

I do have a format disk, and tried to load it only once - but it didn't give me the option to format, so I removed it and did nothing.

Thank you kindly for your help, I appreciate it.

Jennifer

---------------------------------------

GMER ONE Log

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit quick scan 2011-11-08 11:12:50
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-a ST380011A rev.8.01
Running: vl13yv88.exe; Driver: C:\DOCUME~1\OWNER~1.ANO\LOCALS~1\Temp\fgryypog.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----

---------------------------------------

GMER TWO Log

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-11-08 11:25:01
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-a ST380011A rev.8.01
Running: vl13yv88.exe; Driver: C:\DOCUME~1\OWNER~1.ANO\LOCALS~1\Temp\fgryypog.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----

---------------------------------------

GMER TWO Log (WITH C CHECKED)

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-11-08 11:59:07
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-a ST380011A rev.8.01
Running: vl13yv88.exe; Driver: C:\DOCUME~1\OWNER~1.ANO\LOCALS~1\Temp\fgryypog.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\$NtUninstallKB22812$\284603925 0 bytes
File C:\WINDOWS\$NtUninstallKB22812$\284603925\@ 2048 bytes
File C:\WINDOWS\$NtUninstallKB22812$\284603925\L 0 bytes
File C:\WINDOWS\$NtUninstallKB22812$\284603925\L\iqqkeugg 138496 bytes
File C:\WINDOWS\$NtUninstallKB22812$\284603925\loader.tlb 2540 bytes
File C:\WINDOWS\$NtUninstallKB22812$\284603925\U 0 bytes
File C:\WINDOWS\$NtUninstallKB22812$\284603925\U\@00000001 45968 bytes
File C:\WINDOWS\$NtUninstallKB22812$\284603925\U\@000000c0 3584 bytes
File C:\WINDOWS\$NtUninstallKB22812$\284603925\U\@000000cb 3072 bytes
File C:\WINDOWS\$NtUninstallKB22812$\284603925\U\@000000cf 1536 bytes
File C:\WINDOWS\$NtUninstallKB22812$\284603925\U\@80000000 23040 bytes
File C:\WINDOWS\$NtUninstallKB22812$\284603925\U\@800000c0 35840 bytes
File C:\WINDOWS\$NtUninstallKB22812$\284603925\U\@800000cb 23040 bytes
File C:\WINDOWS\$NtUninstallKB22812$\284603925\U\@800000cf 27648 bytes
File C:\WINDOWS\$NtUninstallKB22812$\384842055 0 bytes
File C:\WINDOWS\$NtUninstallKB42723$\270179308 0 bytes
File C:\WINDOWS\$NtUninstallKB42723$\284603925 0 bytes
File C:\WINDOWS\$NtUninstallKB42723$\284603925\L 0 bytes
File C:\WINDOWS\$NtUninstallKB42723$\284603925\U 0 bytes

---- EOF - GMER 1.0.15 ----

---------------------------------------

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 7622

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

11/8/2011 1:13:44 PM
mbam-log-2011-11-08 (13-13-43).txt

Scan type: Full scan (C:\|)
Objects scanned: 197042
Time elapsed: 1 hour(s), 14 minute(s), 12 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

---------------------------------------

DDS.txt

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_21
Run by Owner at 13:18:19 on 2011-11-08
.
============== Running Processes ===============
.
.
============== Pseudo HJT Report ===============
.
mStart Page = about:blank
mWinlogon: SfcDisable=-99 (0xffffff9d)
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
dRunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
dRunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe
dRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10c.exe
mPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
LSP: mswsock.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
TCP: DhcpNameServer = 24.222.0.94 24.222.0.95
TCP: Interfaces\{4B1181AD-2C3C-4A1A-B584-0E2F89D47A87} : DhcpNameServer = 24.222.0.94 24.222.0.95
TCP: Interfaces\{948D169E-BF0B-4B6A-B34B-CCB791739984} : DhcpNameServer = 24.222.0.94 24.222.0.95
TCP: Interfaces\{F02697C4-79F4-4662-A4C1-9D2691267DAB} : DhcpNameServer = 24.222.0.94 24.222.0.95
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\owner.anonymous\application data\mozilla\firefox\profiles\vq8gjy7z.default\
.
============= SERVICES / DRIVERS ===============
.
.
=============== Created Last 30 ================
.
2011-11-08 05:52:07 -------- d-----w- c:\documents and settings\owner.anonymous\local settings\application data\PCHealth
2011-11-08 05:51:32 -------- d-----w- C:\f6a563f40600f0fa37f24e4be0bdfa
2011-11-08 05:47:49 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-11-08 05:47:49 -------- d-----w- c:\documents and settings\all users\application data\Spybot - Search & Destroy
2011-11-08 01:06:42 -------- d-----w- c:\documents and settings\owner.anonymous\application data\IObit
2011-11-08 01:06:37 -------- d-----w- c:\program files\IObit
2011-11-07 00:45:42 -------- d-----w- c:\documents and settings\owner.anonymous\application data\Malwarebytes
2011-11-07 00:45:16 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-07 00:45:16 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-11-06 05:08:15 -------- d-----w- c:\documents and settings\owner.anonymous\local settings\application data\Mozilla
2011-11-05 22:13:47 -------- d-----w- c:\documents and settings\all users\application data\AVAST Software
2011-11-05 19:27:15 -------- d-----w- c:\program files\Emsisoft Anti-Malware
2011-10-26 13:00:44 -------- d-----w- C:\Downloads
2011-10-25 20:41:08 77824 ----a-w- c:\windows\system32\xvid.ax
2011-10-25 20:41:07 -------- d-----w- c:\program files\common files\GeoVid
2011-10-25 20:41:03 60416 ----a-w- c:\windows\system32\dsetup.dll
2011-10-25 20:41:03 1712128 ----a-w- c:\windows\system32\gdiplus.dll
2011-10-24 17:15:00 -------- d-----w- c:\program files\CodeBlocks
2011-10-10 08:30:56 -------- d--h--w- c:\windows\system32\GroupPolicy
2011-10-10 06:05:17 222080 ------w- c:\windows\system32\MpSigStub.exe
.
==================== Find3M ====================
.
2011-10-10 05:49:47 1737865 ----a-w- c:\documents and settings\all users\application data\bdinstall.bin
2011-10-08 22:53:24 54010721 ----a-w- C:\xampp-win32-1.7.7-usb-lite.exe
2010-07-08 15:37:14 101544 ----a-w- c:\program files\common files\LinkInstaller.exe
.
============= FINISH: 13:18:36.76 ===============

---------------------------------------

Attach.txt

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
.
==== Disk Partitions =========================
.
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
No restore point in system.
.
==== Installed Programs ======================
.
µTorrent
Adobe AIR
Adobe Community Help
Adobe Flash Player 10 Plugin
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Bonjour
FileZilla Client 3.5.1
Foxit Reader
Google Update Helper
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Windows XP (KB2443685)
iTunes
Java Auto Updater
Java(TM) 6 Update 21
K-Lite Codec Pack 6.9.0 (Basic)
Malwarebytes' Anti-Malware version 1.51.2.1300
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2416447)
Microsoft .NET Framework 1.1 Service Pack 1
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Silverlight
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft_VC80_CRT_x86
Microsoft_VC80_MFC_x86
Microsoft_VC80_MFCLOC_x86
Microsoft_VC90_CRT_x86
Microsoft_VC90_MFC_x86
Mozilla Firefox 7.0.1 (x86 en-US)
MSVCRT
MSXML 4.0 SP3 Parser
MSXML 4.0 SP3 Parser (KB973685)
Platform
QuickTime
Realtek High Definition Audio Driver
Security Update for CAPICOM (KB931906)
Security Update for Windows Internet Explorer 8 (KB2482017)
Security Update for Windows Internet Explorer 8 (KB2497640)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479628)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485376)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2503658)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2506223)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2511455)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Segoe UI
Spybot - Search & Destroy
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows XP (KB955759)
Update for Windows XP (KB973687)
VIA Platform Device Manager
VIA Rhine-Family Fast-Ethernet Adapter
WebFldrs XP
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Messenger
Windows Live OneCare safety scanner
Windows Rights Management Client Backwards Compatibility SP2
Windows Rights Management Client with Service Pack 2
WinRAR 4.00 beta 5 (32-bit)
.
==== End Of File ===========================


With the exception of the MBA-M program this computer has absolutely no security programs installed.
The database for MBA-M is out of date. You need to go to this link and download to the usb device from there and update the program and run it again.

http://malwarebytes.gt500.org/


Hi, I updated that last night - not sure why it isn't saying so. :( Also disabled my anti-virus when I was scanning, then it wouldn't let me enable it again, so I uninstalled it ... not connected to the internet at this point, not sure what else to do. Thanks


The MBA-M program could not have updated unless it was online. You said you ran it from the usb drive; that was not online.

The program itself is the current version, but the database is way out of date. The one shown on your log is Database version: 7622; as of yesterday the database version was Database version: 8104, and as of right now the latest one is Database version: 8119, so you see the one you used was way out of date.

I see by the log you have used, at some time, msconfig to stop autostarting programs. Go back in there and re-enable everything that you have stopped. It may be that something you stopped would be a required file.

Your log shows at least one trojan on there, maybe more.



I used the 'manual' one; it was named mbam-rules.exe, I believe. I'm not sure what else to do honestly; as you may have guessed, I know very little about the system.

Ok, then that is the latest manual updater, I believe. However, I did tell you what to do: go into msconfig and re-enable everything you have turned off, reboot and see then if you can get online in normal mode; if not, then try again in Safe Mode with Networking.



Man, I don't understand what's going on with this thing, so frustrating. I loaded msconfig, enabled all, restarted and nothing looked or behaved any differently. Likewise in safe mode, nothing.

Would it help to download and do a fresh install of Malwarebytes?


Try this:
Please download ComboFix by sUBs from

http://www.bleepingcomputer.com/download/anti-virus/combofix

Please note that the BleepingComputer.com download link will expire in 10 minutes after you click it so if you don’t click within ten minutes after reaching the page you will need to refresh the page.

• You must download it to and run it from your Desktop
• Physically disconnect from the internet.
• Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
• Double click combofix.exe & follow the prompts.
• When ComboFix has finished running, you will see a screen stating that it is preparing the log report
• This can take a while, so please be patient. If you see your Windows desktop disappear, do not worry. This is normal and ComboFix will restore your desktop before it is finished. Eventually you will see a new screen that states the program is almost finished and telling you the programs log file, or report, will be located at C:\ComboFix.txt.
• Re-enable all the programs that were disabled during the running of ComboFix.

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Run Combofix ONCE only!!

Post back here with the Combofix log.


Thank you so much for doing all this by the way, I appreciate you taking the time ...

ComboFix was a no go, however :( Get the following:

This machine does not have the 'Microsoft Windows recovery console' installed. Alternately, an existing installation of the recovery console may be present but requires updating.

Without it, ComboFix shall not attempt the fixing of some serious infections. Click 'Yes' to have ComboFix download/install it.


Hey, happy to try to help.

Ignore that warning and run the program. It's not a requirement. Many people don't have recovery partitions.



That was interesting to watch, and looks like it did a lot, but nothing looks or acts any different ... if it's supposed to!

Log:

ComboFix 11-11-08.02 - Owner 11/08/2011 19:39:30.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1919.1656 [GMT -6:00]
Running from: c:\documents and settings\Owner.ANONYMOUS\Desktop\ComboFix.exe
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator\Application Data\inst.exe
c:\documents and settings\All Users\Application Data\Tarma Installer
C:\Install.exe
c:\windows\$NtUninstallKB22812$
c:\windows\$NtUninstallKB22812$\284603925\@
c:\windows\$NtUninstallKB22812$\284603925\L\iqqkeugg
c:\windows\$NtUninstallKB22812$\284603925\loader.tlb
c:\windows\$NtUninstallKB22812$\284603925\U\@00000001
c:\windows\$NtUninstallKB22812$\284603925\U\@000000c0
c:\windows\$NtUninstallKB22812$\284603925\U\@000000cb
c:\windows\$NtUninstallKB22812$\284603925\U\@000000cf
c:\windows\$NtUninstallKB22812$\284603925\U\@80000000
c:\windows\$NtUninstallKB22812$\284603925\U\@800000c0
c:\windows\$NtUninstallKB22812$\284603925\U\@800000cb
c:\windows\$NtUninstallKB22812$\284603925\U\@800000cf
c:\windows\$NtUninstallKB22812$\384842055
c:\windows\$NtUninstallKB42723$
c:\windows\$NtUninstallKB42723$\270179308
c:\windows\system32\
c:\windows\XSxS
.
c:\windows\system32\drivers\cdrom.sys . . . is missing!!
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_.serial
-------\Service_10f6b615
.
.
((((((((((((((((((((((((( Files Created from 2011-10-09 to 2011-11-09 )))))))))))))))))))))))))))))))
.
.
2011-11-09 01:52 . 2011-11-09 01:52 -------- d-----w- c:\windows\system32\xircom
2011-11-09 01:52 . 2011-11-09 01:52 -------- d-----w- c:\windows\system32\wbem\snmp
2011-11-09 01:52 . 2011-11-09 01:52 -------- d-----w- c:\windows\system32\oobe
2011-11-09 01:52 . 2011-11-09 01:52 -------- d-----w- c:\program files\microsoft frontpage
2011-11-09 00:44 . 2011-11-09 00:44 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-11-09 00:44 . 2011-08-31 23:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-09 00:35 . 2011-09-06 21:37 320856 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-11-09 00:35 . 2011-09-06 21:36 20568 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-11-09 00:35 . 2011-09-06 21:36 34392 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-11-09 00:35 . 2011-09-06 21:36 52568 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-11-09 00:35 . 2011-09-06 21:38 442200 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-11-09 00:35 . 2011-09-06 21:36 110552 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2011-11-09 00:35 . 2011-09-06 21:36 104536 ----a-w- c:\windows\system32\drivers\aswmon.sys
2011-11-09 00:35 . 2011-09-06 21:33 30808 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2011-11-09 00:34 . 2011-09-06 21:45 41184 ----a-w- c:\windows\avastSS.scr
2011-11-09 00:34 . 2011-09-06 21:45 199304 ----a-w- c:\windows\system32\aswBoot.exe
2011-11-09 00:33 . 2011-11-09 00:33 -------- d-----w- c:\program files\AVAST Software
2011-11-09 00:18 . 2011-11-09 00:18 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Apple Computer
2011-11-08 05:51 . 2011-11-08 05:51 -------- d-----w- C:\f6a563f40600f0fa37f24e4be0bdfa
2011-11-08 05:47 . 2011-11-08 05:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2011-11-08 05:47 . 2011-11-08 05:48 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-11-08 04:19 . 2011-11-08 04:19 -------- d-----w- c:\documents and settings\Administrator\Application Data\IObit
2011-11-08 04:18 . 2011-11-08 04:18 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2011-11-08 01:06 . 2011-11-08 01:06 -------- d-----w- c:\program files\IObit
2011-11-06 05:02 . 2011-11-06 05:05 -------- d-----w- c:\documents and settings\Owner.ANONYMOUS
2011-11-06 04:03 . 2011-11-06 04:03 -------- d-----w- c:\documents and settings\Administrator\Application Data\Orbit
2011-11-06 03:57 . 2011-11-06 03:57 47360 ----a-w- c:\documents and settings\Administrator\Application Data\pcouffin.sys
2011-11-06 03:57 . 2011-11-06 03:57 -------- d-----w- c:\documents and settings\Administrator\Application Data\Vso
2011-11-06 03:53 . 2011-11-06 03:53 -------- d-sh--w- c:\documents and settings\Administrator\IECompatCache
2011-11-05 23:26 . 2011-11-05 23:26 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\PCHealth
2011-11-05 22:13 . 2011-11-09 00:33 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software
2011-11-05 19:27 . 2011-11-06 21:11 -------- d-----w- c:\program files\Emsisoft Anti-Malware
2011-11-04 08:08 . 2011-11-04 08:08 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
2011-10-26 13:00 . 2011-10-26 14:24 -------- d-----w- C:\Downloads
2011-10-25 20:41 . 2007-06-29 00:55 77824 ----a-w- c:\windows\system32\xvid.ax
2011-10-25 20:41 . 2011-10-25 20:41 -------- d-----w- c:\program files\Common Files\GeoVid
2011-10-25 20:41 . 2005-06-07 21:11 60416 ----a-w- c:\windows\system32\dsetup.dll
2011-10-25 20:41 . 2004-08-18 21:00 1712128 ----a-w- c:\windows\system32\gdiplus.dll
2011-10-24 17:15 . 2011-10-24 17:19 -------- d-----w- c:\program files\CodeBlocks
2011-10-10 08:30 . 2011-10-10 08:30 -------- d--h--w- c:\windows\system32\GroupPolicy
2011-10-10 06:05 . 2011-05-25 00:14 222080 ------w- c:\windows\system32\MpSigStub.exe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-10 05:49 . 2011-05-08 22:58 1737865 ----a-w- c:\documents and settings\All Users\Application Data\bdinstall.bin
2011-10-08 22:53 . 2011-10-08 22:49 54010721 ----a-w- C:\xampp-win32-1.7.7-usb-lite.exe
2010-07-08 15:37 . 2010-07-08 15:37 101544 ----a-w- c:\program files\Common Files\LinkInstaller.exe
2011-10-07 01:11 . 2011-04-15 15:12 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2009-10-19 . BA8C046D98345129723E6BCAA1E8AB99 . 361600 . . [5.1.2600.5649] . . c:\windows\system32\drivers\tcpip.sys
[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\tcpip.sys
.
.
c:\windows\System32\wscntfy.exe ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-09-06 21:45 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"RTHDCPL"="RTHDCPL.EXE" [2007-09-27 16844800]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-03-07 421160]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-09-06 3722416]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-08-31 449608]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"_nltide_3"="advpack.dll" [2009-10-19 128512]
"FlashPlayerUpdate"="c:\windows\system32\macromed\flash\FlashUtil10c.exe" [2009-10-19 257440]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
2008-04-14 12:00 208952 ----a-w- c:\windows\ime\IMJP8_1\imjpmig.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
2007-08-03 11:22 1826816 ----a-w- c:\windows\SkyTel.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wampmysqld"=3 (0x3)
"wampapache"=3 (0x3)
"VSSERV"=2 (0x2)
"Updatesrv"=2 (0x2)
"Update Server"=3 (0x3)
"gupdatem"=3 (0x3)
"gupdate"=2 (0x2)
"MsMpSvc"=2 (0x2)
"AdvancedSystemCareService"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [11/8/2011 6:35 PM 442200]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [11/8/2011 6:35 PM 320856]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [11/8/2011 6:35 PM 20568]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [11/8/2011 6:44 PM 366152]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [11/8/2011 6:44 PM 22216]
S0 is3srv;is3srv;c:\windows\system32\drivers\is3srv.sys --> c:\windows\system32\drivers\is3srv.sys [?]
S0 szkg5;szkg5;c:\windows\system32\DRIVERS\szkg.sys --> c:\windows\system32\DRIVERS\szkg.sys [?]
S0 szkgfs;szkgfs;c:\windows\system32\drivers\szkgfs.sys --> c:\windows\system32\drivers\szkgfs.sys [?]
S1 DumpDrv;Crash Dump Driver;c:\windows\system32\drivers\dumpdrv.sys [10/19/2009 2:29 AM 9472]
S1 MpKsl86e022e9;MpKsl86e022e9;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{8C00EAF6-C45B-4202-961C-3FC104E38A9A}\MpKsl86e022e9.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{8C00EAF6-C45B-4202-961C-3FC104E38A9A}\MpKsl86e022e9.sys [?]
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
mStart Page = about:blank
TCP: DhcpNameServer = 24.222.0.94 24.222.0.95
FF - ProfilePath - c:\documents and settings\Owner.ANONYMOUS\Application Data\Mozilla\Firefox\Profiles\vq8gjy7z.default\
.
.
------- File Associations -------
.
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-{7605B730-00EE-D140-713B-F621175C8787} - c:\documents and settings\Owner\Application Data\Oqs\ixukwiy.exe
HKLM-Run-WinampAgent - c:\program files\Winamp\winampa.exe
HKLM-Run-MSC - c:\program files\Microsoft Security Client\msseces.exe
HKLM-Run-mqqjUUCelI - c:\documents and settings\Owner\Application Data\dwme.exe
HKLM-Run-AdobeCS5ServiceManager - c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe
HKU-Default-RunOnce-tscuninstall - c:\windows\system32\tscupgrd.exe
MSConfigStartUp-Advanced SystemCare 4 - c:\program files\IObit\Advanced SystemCare 4\ASCTray.exe
MSConfigStartUp-BDAgent - c:\program files\BitDefender\BitDefender 2011\bdagent.exe
MSConfigStartUp-BitDefender Antiphishing Helper - c:\program files\BitDefender\BitDefender 2011\ieshow.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-11-08 19:54
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,ce,2e,3c,16,65,80,c3,48,93,bf,8c,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,ce,2e,3c,16,65,80,c3,48,93,bf,8c,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(960)
c:\windows\system32\WININET.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVAST Software\Avast\AvastSvc.exe
c:\windows\system32\rundll32.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2011-11-08 19:58:28 - machine was rebooted
ComboFix-quarantined-files.txt 2011-11-09 01:58
.
Pre-Run: 70,345,318,400 bytes free
Post-Run: 70,246,342,656 bytes free
.
- - End Of File - - EE79171B3A464EE22AAC29B3F9BDCD74

0

Still can't get online now. I've restarted again - I don't even see the little network connection icon in the bottom right hand corner either, tried clicking to update MalwareBytes and the error was 'address not found'. There's nothing showing in the connections section and my desktop still looks like the old 98. Quite a mess, isn't it?

0

Ha, device manager is empty ... gonna Google and see what I can find about that one.

It seems most of the services are stopped, with no option of enabling them ... still looking.

Edited by prettikittie: n/a

0

Go to Start, Control Panel, open Administrative Tools and then click on Services.
Scroll down and find the Plug and Play service. Double-click on it and make sure the Startup type is set to Automatic and click Start if the service is not running.
Check to see if your Device Manager is still blank or not. If it is, then you can also try to enable more Windows Services by going to Start, Run and typing in MSCONFIG. Click on the Services tab and choose Enable All.
Also make sure the "hide all MS services" checkbox at the bottom of the dialog box is NOT selected.
Restart the computer.

Why were you in Device Manager?

Edited by jholland1964: n/a

0

This is what I get: The plug and play service or another required service is not available.

I Googled about not being able to connect, and it was suggested in an existing thread to view the device manager to see if it was running, I didn't click or change anything.

When going into msconfig, everything is checked (hide all isn't), yet nearly everything shows as 'stopped'.
Are there certain services needed to be running before others will work?

Sorry if I'm driving you crazy!

0

Task manager is where you look for running processes, not Device manager. That shows hardware installed, not if it is running.

Did you go to Administrative Tools, Services? That is where you start services.

Select the Plug and Play service and click Start.

To prevent the error from occurring in the future, do the following:

Services.
Select the Plug and Play service and click Startup.
Click to select the Automatic option in the Startup Type section.

Edited by jholland1964: n/a

0

Hi,

Well, this is where I'm at now ... the computer is looking like Windows XP again, still missing any existing files, etc. that I had, and my connection icon hangs and reads something like "acquiring network address". I typed services.msc and when it comes up, it's showing DHCP and a few others not started; when I look at the Dependencies tab, it's showing a few needed that aren't even there. AFD, etc.
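Added here, not code from the thread or from any poster in it: a PowerShell audit that covers both the Plug and Play / DHCP startup advice above and the missing-dependency (AFD) symptom in the last post. It reads each service's Start value and DependOnService list straight from the registry, so it still works while the Service Control Manager is refusing to start things; it assumes PowerShell is installed on the XP box (it is an optional add-on on XP SP3), and the list of service names is constructed for the example.

```powershell
# Added example; not code from the thread or from any tool it mentions.
# Reads service configuration straight from the registry, so it works even
# while the Service Control Manager reports "required service is not
# available". Assumes PowerShell is installed (an optional add-on on XP SP3).
$svcRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
# Names from the thread (PlugPlay, Dhcp, AFD) plus the rest of the usual XP
# networking chain; the list itself is constructed for this example.
$toCheck = 'PlugPlay', 'Dhcp', 'AFD', 'Tcpip', 'NetBT', 'Netman', 'Dnscache'
# Meaning of the Start value under each service key.
$startNames = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

function Get-SvcAudit {
    param([string]$Name)
    $key = Join-Path $svcRoot $Name
    if (-not (Test-Path $key)) {
        # Key gone entirely: the "dependency that isn't even there" case seen
        # in services.msc. Set-Service cannot recreate it.
        return New-Object PSObject -Property @{ Name = $Name; Present = $false;
            IsDriver = $false; Start = 'n/a'; State = 'n/a'; MissingDeps = @() }
    }
    $props = Get-ItemProperty -Path $key
    $deps = @(); if ($props.DependOnService) { $deps = @($props.DependOnService) }  # REG_MULTI_SZ
    $missing = @($deps | Where-Object { -not (Test-Path (Join-Path $svcRoot $_)) })
    $start = 'unknown'; if ($props.Start -ne $null) { $start = $startNames[[int]$props.Start] }
    $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
    $state = 'unknown'; if ($svc) { $state = $svc.Status.ToString() }
    New-Object PSObject -Property @{
        Name = $Name; Present = $true
        IsDriver = (([int]$props.Type -band 0x3) -ne 0)   # Type 1/2 = kernel/file-system driver
        Start = $start; State = $state; MissingDeps = $missing
    }
}

function Repair-AutoStart {
    # The thread's fix for Plug and Play: set Startup type to Automatic, then Start.
    param([string]$Name)
    Set-Service -Name $Name -StartupType Automatic
    Start-Service -Name $Name
}

$report = $toCheck | ForEach-Object { Get-SvcAudit $_ }
$report | Format-Table Name, Present, IsDriver, Start, State,
    @{ n = 'MissingDeps'; e = { $_.MissingDeps -join ',' } } -AutoSize

# Repair only the two Win32 services the thread is about, and only when every
# dependency exists; otherwise Start fails with the same "required service" error.
foreach ($r in $report) {
    if (('PlugPlay', 'Dhcp') -contains $r.Name -and $r.Present -and -not $r.IsDriver -and
        $r.MissingDeps.Count -eq 0 -and $r.State -ne 'Running') { Repair-AutoStart $r.Name }
}
```

A row with Present = False, or a non-empty MissingDeps column for Dhcp, is the registry-level confirmation of what the Dependencies tab showed, and nothing in Services can repair that without restoring the missing service keys and driver files.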

0

Hate to say this but think you have gone as far as possible in attempting to clean the machine. There are obviously key system files damaged and your best option now is to reformat the machine back to factory and reload the operating system. Attempting to do any further clean ups will be virtually impossible.

0

Yeah, I was fearing that would be the only way to go. I was hoping I could download any missing drivers and give that a try, but it isn't looking like that's gonna be an option. :|

Thank you for all your help, I do appreciate it!
